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DETAILED ACTION 



1. This Office action is responsive to the following communication: Amendment filed on 27 October 
2008. 

2. Claims 1-4, 6-7, 9-16, 18-20, 39-42, 44-45, 47-51, 53-54, and 56-58 are pending and present for 
examination. 



3. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 
1.17(e), was filed in this application after final rejection. Since this application is eligible for continued 
examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the 
finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's 
submission filed on 27 October 2008 has been entered. 



4. The information disclosure statement (IDS) submitted on 27 October 2008 is in compliance with 
the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by 
the examiner. 



Continued Examination Under 37 CFR 1.114 



Information Disclosure Statement 



Response to Amendment 



5. 



No claims have been amended. 



6. 



No claims have been cancelled. 



7. 



No claims have been added. 



Claim Rejections - 35 USC§112 

8. The following is a quotation of the second paragraph of 35 U.S.C. 112: 
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The specification sinall conclude witin one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

9. Claims 2-4, 6-7, 9, 11-13, 15-16, 19-20, 40-42, 44-45, 47, 49-51, 53-54, and 57-58 

are rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point 
out and distinctly claim the subject matter which applicant regards as the invention. Claim 2 recites the 
limitation "a method as recited in Claim 1" in line 1. There is insufficient antecedent basis for this 
limitation in the claim. The Examiner notes that said limitation should properly read as "the method as 
recited in claim 1." It is further noted that claims 3-4, 6-7, 9, 11-13, 15-16, 19-20, 40-42, 44-45, 47, 49- 
51, 53-54, and 57-58 are replete with similar errors. 

Claim Rejections - 35 USC§ 103 

10. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 

rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art 
are such that the subject matter as a whole would have been obvious at the time the invention was made to a 
person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

11. Claims 1-4, 7-11, 13, 16-17, 18-20, 39-42, 45-49, 51 and 54-58 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Idicula et al (U.S. Patent No. 6,950,822, hereinafter referred to 
as IDICULA), filed on 25 November 2002, and issued on 27 September 2005, in view of Deinhart et al 
(U.S. Patent No. 5,911,143, hereinafter referred to as DEINHART), filed on 14 August 1995, and issued 
on 8 June 1999, and in further view of Jensenworth et al (U.S. Patent No. 6,279,111, hereinafter referred 
to as JENSENWORTH), filed on 12 June 1998, and issued on 21 August 2001. 

12. As per independent claims 1, 10, 18, 39, 48 and 56, IDICULA, in combination with 
DEINHART and JENSENWORTH, discloses: 

A computer-implemented method for controlling access to a resource of a plurality of 
resources, the method comprising the steps of: 
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creating and storing in a filesystem of an Operating System a plurality of files that 
each represents a different resource of the plurality of resources {See 

JENSENWORTH, C4:L42-50}; 

assigning an access value to a file attribute of a file that represents the resource, 
wherein the file attribute is used by the Operating System to manage file access, 
wherein the access value corresponds to a combination of a particular role and 

the resource {See JENSENWORTH, C5:L4-21, wherein this reads over "[t]he object 72 has a 
l<ernel level security descriptor 76 associated therewith, and the object manager 74 provides the 
security descriptor 76 and the token 60 to a security mechanism" and "[t]he contents of the security 
descriptor 76 are typically determined by the owner (e.g., creator) of the object, and generally 
comprise a (discretionary) access control list (ACL) 80 of access control entries, and for each entry, 
one or more access rights"}; 

receiving user-identifying information from a user requesting access to the resource, 
wherein the user-identifying information comprises a role associated with the 
user {See IDICULA, C5:L11-13, wherein this reads over "user Information that Indicates a user of 
the associated connection, the user's roles, and the user's privileges, among other information about 
the user"}, wherein the role is determined from a user identifier uniquely 
associated with the user and from a group identifier associated with a group that 

includes the user {See DEINHART, C1:L31-36, wherein this reads over"[i]n most of the installed 
computer systems access rights are granted or revoked explicitly for individual users or group of 
users on respective data or, more generally, on respective objects by a system administrator"}; 

receiving a resource identifier associated with the resource {See idicula, C7;li9-35, 
wherein this reads over "[i]f a session Is already created for this client, a session object 122 
associated with the client is indicated in the process state object 130"}; 

creating an access identifier based on the user-identifying information and the 
resource identifier, wherein the access identifier is formatted as a file attribute 
that is used by the Operating System to manage file access {See idicula, C4:L42-56, 
wherein this reads over "session objects 122, one or more process state objects 130a, 130b, 
collectively referenced hereinafter as process state objects 130, and a session pool object 140. In 
object-oriented technologies, an object Is a data structure that stores data that Indicates one or more 
attributes or methods or both"}; 

calling the Operating System to perform a file operation on the file, wherein calling 
the Operating System includes providing the access identifier to the Operation 

System {See idicula, Cl ±52-62, wherein this reads over "[a] session is a related series of one or 
more requests for services made over a communication channel. The channel is typically established 
by the operating system of the host for the database server"; and C7:L19-30, wherein this reads over 
"[i]f a session is already created for this client, a session object 122 associate with the client is 
indicated in the process state object 130; and that session object 122 is used"}; and 

granting the user access to the resource when the Operating System call successfully 

performs the file operation {See idicula, C7:L20-21, wherein this reads over "a request is 
received from database client 102a for database services"}, wherein the Operating System 

call successfully performs the file operation if the access identifier matches the 

access value {See JENSENWORTH, C5:L15-21, wherein this reads over "[t]he security mechanism 
78 compares the security IDs in the token 60 along with the type of action or actions requested by 
the process 70 against the entries in the ACL 80. If a match Is found with an allowed user or group, 
and the type of access desired Is allowable for the user or group, a handle to the object 72 is 
returned to the process 70"}; 
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wherein tine file operation on the file representing the resource is selected from a 
group consisting of opening the file, closing the file, deleting the file, reading 
from the file, writing to the file, executing the file, appending to the file, reading 
a file attribute, and writing a file attribute {See idicula, C7:li9-30, wherein this reads 
over "[i]f a session is already created for this client, a session object 122 associate with the client is 
indicated in the process state object 130; and that session object 122 is used"}. 

While IDICULA fails to expressly disclose the determination of a role "from a user identifier 
uniquely associated with the user and from a group identifier associated with a group that includes the 
user," DEINHART discloses the grant or revocation of access rights for "individual users or group of users 
... on respective objects." Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the above invention suggested by IDICULA by combining it 
with the invention disclosed by DEINHART. 

Additionally, while IDICULA and DEINHART may fail to expressly disclose the method steps of 
assigning an access value to a fire attribute of a file and the Operating System call successfully performs 
the file operation if the access identifier matches the access value, JENSENWORTH discloses a security 
model using restricted tokens for file and resource access. Therefore, it would have been obvious to one 
of ordinary skill in the art at the time the invention was made to modif/ the above invention suggested by 
IDICULA and DEINHART by combining it with the invention disclosed by JENSENWORTH. 

One of ordinary skill in the art would have been motivated to do this modification so that where a 
user falls within a classified group of users (e.g. System Administrator or Guest), a user identifier may be 
associated with the user accordingly. 

13. As per dependent claims 2, 11, 19, 40, 49 and 57, it would be inherent for the role 
identifier and resource identifier to be stored in a first and second set of bits, respectively, since files are 
comprised of a sequence of bits. 

14. As per dependent claims 3, 20, 41 and 58, IDICULA, in combination with DEINHART and 

JENSENWORTH, discloses: 

A method as recited in Claim 1, wherein: 

the step of creating an access identifier based on the user-identif/ing information 
and the resource identifier comprises formatting the access identifier as a group 
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identifier file attribute {See DEINHART, C1:L31-36, wherein this reads over "[i]n most of the 
installed computer systems access rights are granted or revoked explicitly for individual users or 
group of users on respective data or, more generally, on respective objects by a system 
administrator"}; and 

the step of calling the Operating System to perform an operation on the file 
representing the resource comprises: 

assigning the access identifier to a group identifier attribute of an Operating 

System process {See IDICULA, C4:L42-56, wherein this reads over "session objects 122, 
one or more process state objects 130a, 130b, collectively referenced hereinafter as process 
state objects 130, and a session pool object 140. In object-oriented technologies, an object is a 
data structure that stores data that indicates one or more attributes or methods or both"}; and 

calling an Operating System routine from the Operating System process to 
perform the operation on the file representing the resource {See idicula, 
Cl:L52-62, wherein this reads over "[a] session is a related series of one or more requests for 
services made over a communication channel. The channel is typically established by the 
operating system of the host for the database server"; and C7:L19-30, wherein this reads over 
"[i]f a session is already created for this client, a session object 122 associate with the client is 
indicated in the process state object 130; and that session object 122 is used"}. 

15. As per dependent claims 4, 13, 42 and 51, IDICULA, in combination with DEINHART and 
JENSENWORTH, discloses: 

A method as recited in Claim 1, 

wherein the step of calling the Operating System to perform an operation on the file 
representing the resource comprises comparing the access identifier to an 
identifier included in an Access Control List file attribute associated with the file 
representing the resource {See DEINHART, C1:L31-41, wherein this reads over "[w]hen an 
access request occurs during operation time of the computer system from a user or, more generally, 
from a subject to the object, then the security system looks at the access control list of the respective 
object and decides whether the subject may access the object in the request manner"}, 

wherein the Access Control List file attribute includes the identifiers of all users and 
all groups of users allowed to access the file representing the resource {See 
DEINHART, Cl:L31-36, wherein this reads over "[i]n most of the installed computer systems access 
rights are granted or revoked explicitly for individual users or group of users on respective data or, 
more generally, on respective objects by a system administrator"}. 

16. As per dependent claims 7, 16, 45 and 54, the claim does not carry patentable weight since 
the claim recites the file operation of "opening the file representing the resource," which was optionally 
recited in claims 1, 10, 18, 22, 31, 39, 48 and 56 (i.e. "wherein the file operation on the file representing 

the resource is selected from a group consisting of opening the file, closing the file, deleting the file. 



reading from the file, writing to the file, executing the file, appending to the file, reading a file attribute, 
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and writing a file attribute"), upon which the said respective claims depend. Therefore, since the opening 
of the file is optional and not necessary to the claimed invention, the claim is rejected. 

17. As per dependent claims 8, 17, 46 and 55, IDICULA, in combination with DEINHART and 

JENSENWORTH, discloses: 

A method as recited in Claim 1, wherein the step of representing the resource by a file 
stored in the Operating System filesystem comprises: 

creating the file representing the resource in the Operating System filesystem {See 
IDICULA, C4:L42-56, wherein this reads over "session objects 122, one or more process state objects 
130a, 130b, collectively referenced hereinafter as process state objects 130, and a session pool 
object 140. In object-oriented technologies, an object is a data structure that stores data that 
indicates one or more attributes or methods or both'7; and 

assigning an access value to a file attribute of the file representing the resource, the 
file attribute being used by the Operating System to manage file access {See 

IDICULA, C4;L42-56, wherein this reads over "session objects 122, one or more process state objects 
130a, 130b, collectively referenced hereinafter as process state objects 130, and a session pool 
object 140. In object-oriented technologies, an object is a data structure that stores data that 
indicates one or more attributes or methods or both"}, wherein the access value 
corresponds to a combination of a role {See idicula, C5:Lii-i3, wherein this reads over 
"user information that indicates a user of the associated connection, the user's roles, and the user's 
privileges, among other information about the user"} and a resource {See IDICULA, C7:L19-35, 
wherein this reads over "[i]f a session is already created for this client, a session object 122 
associated with the client is indicated in the process state object 130"}. 

18. As per dependent claims 9 and 47, IDICULA, in combination with DEINHART and 

JENSENWORTH, discloses: 

A method as recited in Claim 8, wherein the file attribute used by the Operating System 
to manage file access is a group identifier file attribute {see deinhart, ci:L3i-36, wherein 
this reads over "[i]n most of the installed computer systems access rights are granted or revoked explicitly 
for individual users or group of users on respective data or, more generally, on respective objects by a 
system administrator"}. 

19. Claims 6, 12, 15, 44, 50 and 53 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Idicula et al, in view of Deinhart et al and Jensenworth et al, and in further view of Lewis (U.S. 
Patent No. 6,233,576, hereinafter referred to as LEWIS), filed on 25 September 1995, and issued on 15 
May 2001. 

20. As per dependent claims 6, 15, 44 and 53, IDICULA, in combination with DEINHART, 
JENSENWORTH, and LEWIS, discloses: 

A method as recited in Claim 1, the method further comprising the steps of: 
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reading a permission bit associated with the file representing the resource, wherein 
the permission bit corresponds to the operation performable on the file 

representing the resource {See lewis, C14:L6-12, wherein this reads over "derive the 
authorization file names and the permission bits (from the resource class and name), and to apply 
the appropriate permissions"}; 

based on the operation on the file indicated by the permission bit, determining a 
resource operation that is performable on the resource {See lewis, ci6:L64-ci7:L4, 
wherein this reads over "[t]he resulting access rights consist of a three bit filed with the following 
meanings . . ."}; and 

granting the user the privilege of performing the resource operation on the resource 
{See DEINHART, C1:L31-41, wherein this reads over "[w]hen an access request occurs during 
operation time of the computer system from a user or, more generally, from a subject to the object, 
then the security system looks at the access control list of the respective object and decides whether 
the subject may access the object in the request manner"} only if the permission bit allows 

the operation to be performed on the file representing the resource {See lewis, 

C17:L5-9}. 

While IDICULA and DEINHART fail to expressly disclose the use of permission bits in determining 
user privileges, LEWIS discloses the use of permission bits which signify Read, Write, or Execute 
authority. Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the above invention suggested by IDICULA and DEINHART by combining it 
with the invention disclosed by LEWIS. 

One of ordinary skill in the art would have been motivated to do this modification so that files 
may contain permission bits which allow users the permission to certain operations on the file. 

21. Claims 6, 12, 15, 44, 50 and 53 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Idicula et al, in view of Deinhart et al and Jensenworth et al, and in further view of Official Notice. 

22. As per dependent claims 12 and 50, IDICULA, in combination with DEINHART, 

JENSENWORTH, and Official Notice, discloses: 

A method as recited in Claim 10, wherein the step of making an Operating System call to 
perform an operation on the file representing the resource comprises: 

storing the group identifier value of a group identifier attribute of an Operating 

System process {See deinhart, C1:L31-36, wherein this reads over "[i]n most of the installed 
computer systems access rights are granted or revol<ed explicitly for individual users or group of 
users on respective data or, more generally, on respective objects by a system administrator"}; 

assigning the access identifier to the group identifier attribute of the Operating 
System process {See idicula, C4:L42-56, wherein this reads over "session objects 122, one or 
more process state objects 130a, 130b, collectively referenced hereinafter as process state objects 
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130, and a session pool object 140. In object-oriented teclnnologies, an object is a data structure 
tinat stores data tinat indicates one or more attributes or metlnods or botin"}; 

calling an Operating System routine from tlie Operating System process to perform 
the operation on the file representing the resource {See idicui^, ci:L52-62, winerein 

tinis reads over "[a] session is a related series of one or more requests for services made over a 
communication channel. The channel is typically established by the operating system of the host for 
the database server"; and C7:L19-30, wherein this reads over "[i]f a session is already created for 
this client, a session object 122 associate with the client is indicated in the process state object 130; 

and that session object 122 is used"}, wherein the operation on the file representing the 
resource is performed only if the value of the group identifier attribute of the 
Operating System process matches the value of the group identifier file attribute 
of the file representing the resource {See idicula, C7:L20-21, wherein this reads over "a 
request is received from database client 102a for database services'7; and 

resetting the group identifier attribute of the Operating System process to the stored 
group identifier value {See official Notice}. 

The Examiner takes Official Notice that it would have been obvious to one of ordinary skill in the 

art at the time the invention was made to reset the group identifier attribute of the Operating System 

process to the stored group identifier value. That is, where a group identifier is set, it would have been 

obvious to one of ordinary skill in the art to have the capability to reset said group identifier attribute 

accordingly. 



Response to Arguments 

23. Applicant's arguments filed 27 October 2008 have been fully considered but they are not 

persuasive. 

a. Rejections under 35 U.S.C. 103 

Applicant asserts the argument that Jensenworth fails to teach or suggest that the 
recited access value corresponds to a particular role and a resource. See Amendment, page 4. 
The Examiner respectfully disagrees. It is noted that Jensenworth discloses that the contents of 
the security descriptor comprise a discretionary access control list (ACL) for each entry and one 
or more access rights. See Jensenworth, col. 5, lines 4-21. Accordingly, wherein an access 
control list is a list of permissions attached to an object which specifies who or what is allowed to 
access the object, it would have been obvious to one of ordinary skill in the art that said access 
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control list would read upon the limitation of an "access value [which] corresponds to a 
combination of a particular role and the resource." 

Secondly, Applicant asserts the argument that Deinhart fails to teach or suggest the 
recited role. See Amendment, page 4. The Examiner respectfully disagrees. Specifically, 
Applicant asserts the argument that the cited portion of Deinhart "fails to teach or suggest that a 
role is determined from two specific identifiers: a user identifier and a group identifier." See 
Amendment, page 5. It is noted that Deinhart discloses an invention wherein access rights are 
granted or revoked explicitly for individual user or group of users. Furthermore, it is noted that 
Idicula discloses an invention wherein user information is used to indicate the user's roles and 
privileges. Accordingly, it would have been obvious to one of ordinary skill in the art that the 
combination of Idicula and Deinhart would disclose a method wherein a user would have access 
rights to an object based upon the individual user's privileges or the group's privileges to which 
the individual user belongs to. Therefore, the Examiner notes that Deinhart, in combination with 
Idicular would indeed disclose the recited claim limitation. 

Thirdly, Applicant asserts the argument that Idicula fails to teach or suggest the recited 
resource identifier. See Amendment, page 5. The Examiner respectfully disagrees. It is noted 
that Idicula discloses the use of a session object (i.e. the resource identifier) wherein the object 
(i.e. the resource) being used for the session is identified. That is, wherein a client initiates a 
session with an object, a session object associated with said object is created. 

Fourthly, Applicant asserts the argument that Idicula fails to teach or suggest the recited 
access identifier. See Amendment, page 5. The Examiner respectfully disagrees. It is noted that 
Idicula discloses a method step wherein the session object is associate with the client in the 
process state object. See Idicula, col. 7, lines 57-65. Furthermore, it is noted that during said 
method step, type I and type II information is generated to refresh and replace the information 
in the session object. Additionally, Idicula discloses that Type I information comprises of "user 
information that indicates a user of the associated connection, the user's roles, and the user's 
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privileges." See Idicula, col. 5, lines 9-18. Accordingly, it is noted that Idicula does disclose a 
method of creating an access identifier based on the user-identif/ing information and the 
resource identifier (i.e. session object), wherein the access identifier is formatted as a file 
attribute that is used by the Operating System (i.e. type I information). 

Fifthly, Applicant asserts the argument that Idicula fails to teach or suggest calling an 
Operating System to perform a file operation on a file. See Amendment, page 6. The Examiner 
respectfully disagrees. It is noted that Idicula discloses that a "channel is typically established by 
the operating system." See Idicula, col. 1, lines 52-62. Additionally, it is noted that Jensenworth 
discloses an invention wherein a Windows NT operating system is used to access files, shared 
memory and physical devices which are represented by objects. See Jensenworth, col. 4, lines 
42-65. Accordingly, it would have been obvious to one of ordinary skill in the art that the 
combination of Idicula and Jensenworth would disclose the method step of calling an Operating 
System to perform a file operation on the file. 

Lastly, Applicant asserts the argument that "Idicula fails to teach or suggest granting a 
user access to the resource only when the Operating System call successfully performs a file 
operation." See Amendment, page 7. The Examiner respectfully disagrees. It is noted that the 
prior art reference of Jensenworth discloses a security mechanism which allows a user or group 
to access the desired object. Accordingly, wherein Jensenworth is executed on a Windows NT 
operating system, it would have been obvious to one of ordinary skill in the art that the 
successful return of a handle to the object would read upon the aforementioned claim limitation. 

Accordingly, for the aforementioned reasons above, the claim rejections under 35 U.S.C. 
103 are maintained. 



Conclusion 
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24. Any inquiry concerning this communication or earlier communications from tine examiner should 
be directed to PAUL KIM whose telephone number is (571)272-2737. The examiner can normally be 
reached on M-F, 9am - 5pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Tony Mahmoudi can be reached on (571) 272-4078. The fax phone number for the organization where 
this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 
866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or 
access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Paul Kim 

Examiner, Art Unit 2169 
TECH Center 2100 



/Paul Kim/ 



